<div dir="ltr">Take 2. Sent from the wrong email address!<br><br>Greg</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 12 Feb 2022 at 08:01, Greg Choules <<a href="mailto:gregchoules@googlemail.com">gregchoules@googlemail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">> "...to use a traditional VPN solution such as DNSSEC ..."<div>DNSSEC is not a VPN service. It is regular, unencrypted DNS on port 53, or whichever port you choose - see the manuals and KB articles for how to configure non-standard ports. DNSSEC adds extra records to provide checks that answers are genuine.</div><div><br></div><div>> "P.S. My guess is that this so-call "security" service is no such thing, or at</div> least its not the only thing. They are probably harvesting DNS lookups<br> to sell as marketing data, or at least that would be my first guess."<div>I would try to establish exactly what Comcast's Security Service is actually doing first, or if this is even the real problem. Run some manual tests between the machines inside and the machines outside to establish whether port number is the problem. e.g. use "dig -p"</div><div><br></div><div>Thanks, Greg</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 11 Feb 2022 at 16:30, Jakob Bohm via bind-users <<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2022-02-11 16:20, Tim Daneliuk via bind-users wrote:<br>
><br>
> After some months of poking around, we are now certain that our <br>
> so-called "Business"<br>
> service from Comcast is compromising our DNS servers because of their<br>
> execrable "Security Edge" garbage. (They are willing to remove this <br>
> 'service'<br>
> only if we are willing to incur a higher monthly recurring fee.)<br>
><br>
> Our master is in the wild and works fine, but the slave is behind the <br>
> compromised<br>
> Comcast pipe. The effect of having Security Edge in place is that the<br>
> slave cannot get updates from the master and is also unable to resolve<br>
> anything outside our own zone. Comcast is apparently hijacking all port<br>
> 53 requests and doing unspeakable things with them.<br>
><br>
> Is there a way to have these servers work as usual, listening to <br>
> resolution<br>
> request on port 53, but have the slave update AND forward requests to the<br>
> master over a non-standard port, so as to work around the Comcast <br>
> madness?<br>
><br>
> TIA,<br>
> Tim<br>
><br>
> P.S. My guess is that this so-call "security" service is no such <br>
> thing, or at<br>
> least its not the only thing. They are probably harvesting DNS <br>
> lookups<br>
> to sell as marketing data, or at least that would be my first guess.<br>
If bind cannot be configured to avoid a port blocking or filtering 3rd<br>
party filter between two of your own servers, the obvioussolution is<br>
to use a traditional VPN solution such as DNSSEC or OpenVPN to encrypt<br>
all traffic between the two servers. That should pass through any ISP<br>
filters that don't block work-from-home VPNs.<br>
<br>
Enjoy<br>
<br>
Jakob<br>
-- <br>
Jakob Bohm, CIO, Partner, WiseMo A/S. <a href="https://www.wisemo.com" rel="noreferrer" target="_blank">https://www.wisemo.com</a><br>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10<br>
This public discussion message is non-binding and may contain errors.<br>
WiseMo - Remote Service Management for PCs, Phones and Embedded<br>
<br>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>
</div>
</blockquote></div>